"Notice: Undefined index:..." -Latest PHP is more strict?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

"Notice: Undefined index:..." -Latest PHP is more strict?

Postby triehard » 13. March 2012 22:48

Hi there. I switched to a new laptop, and installed latest Xampp. -Gone from Xampp 1.7.1 & MySQL 5.1.33 to Xampp 2.5 & MySQL 5.5.16 -PHP 5.3.8-
And now get a variety of:
"Notice: Undefined index: update in C:\xampp\htdocs\..\edit.php on line 4"
"Notice: Undefined variable: DBError in C:\xampp\htdocs\..\edit.php on line 107"
"Notice: Undefined variable: SuccMsg in C:\xampp\htdocs|..\edit.php on line 108"
alerts on many similar web site pages. There is info on how to prevent/correct that, but I can't find a why. Presumably the latest PHP is less forgiving ?
I prefer to improve my coding rather than to suppress notices.

Code is below, and helpful comments appreciated. Thanks.

/*
$id=isset($_POST['$id']) ? trim($_POST["$id"]) : ""; **to make no notice alert, need to change code to the isset or declare the vars isset-as per below !!

<?php error_reporting (E_ALL ^ E_NOTICE); ?> **or suppress notices
*/
<?php
//session_start();
include('../_dbconn/passwords.php');
if($_POST['update'])
//** if (isset($_POST['update']) )
{
//extract($_POST);// array used to extract variables and their values from an array
$id=trim($_POST['id']);
$apply=trim($_POST['apply']);
$pass=trim($_POST['pass']);
$user=trim($_POST['user']);
$comment=trim($_POST['comment']);

$con = dbconn_passwords(); //calling db connection.
$uQuery="UPDATE passwords SET id='$id', apply='$apply', pass='$pass', user='$user', comment='$comment' WHERE id = $id";
// execute the query
$rs=$con->query($uQuery);
if(!$rs)// failed executing query.. something is wrong so.. show it
{
$DBError="ERROR: failed executing query ".mysqli_error($con);
}
{
$SuccMsg="<script>alert(\"Entry has been edited Successfully\");</script>";
}
}
// display initial form with values pre-filled
if($_GET['id']) // if entry id is available from the data base
{
$id=$_GET['id'];
@$con = dbconn_passwords(); //calling db connection.
if(mysqli_errno($con))
{
$DBError="Error: Unable to connect to the database, Please contact the admin manager";
}
else // now we are connected to the database
{
$gQuery="SELECT * FROM passwords WHERE id = $id"; //
// execute the query
$rs=$con->query($gQuery);
if(!$rs)// failed executing query.. something is wrong so.. show it
{
$DBError="ERROR: failed executing query ".mysqli_error($con);
}
else
{
// read the data from the bd
$count=$rs->num_rows; // fetch object function that converts each row into a PHP object, & represents each col in that row as a property of that object
if($count>0)
{
$data=$rs->fetch_assoc();
$id=$data['id'];
$apply=$data['apply'];
$pass=$data['pass'];
$user=$data['user'];
$comment=$data['comment'];
}
else
{
echo "Record not found";
}
}
}
} //*** end of GET['id']
// form submitted
?>

<div align=center>
<form method="post" action="<? echo $PHP_SELF ?>">
<input type='hidden' name='id' value="<? echo $id ?>" />
<table width="550" style=\"font-face:Arial,sans-serif;font-weight:normal;color:#0000cc;font-size:9pt;padding-right:50px;\">
<tr>
<td colspan="2" style=\"font-face:Verdana,Arial,sans-serif;font-weight:normal;color:#006600;font-size:11pt;padding-left:70px;\"><br />Edit an Entry<br /></td>
</tr>
<tr>
<td class="label" align="right">Applicable to</td>
<td class="instruct">
<input type="text" name="apply" size="20" value="<? echo $apply ?>">
</td>
</tr>
<tr>
<td class="label" align="right">Password</td>
<td class="instruct">
<input type="text" name="pass" size="20" value="<? echo $pass ?>">
</td>
</tr>
<tr>
<td class="label" align="right">User</td>
<td class="instruct">
<input type="text" name="user" size="20" value="<? echo $user ?>">
</tr>
<tr>
<td class="label" align="right">Comment</td>
<td class="instruct">
<input type="text" name="comment" size="20" value="<? echo $comment ?>">
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" name="update" value="Update">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a style='font-face:arial,verdana,sans-serif;font-weight:normal;color:#0000cc;font-size:11pt;padding-left:80px;text-decoration:none;' href="index.php">View Entries</a>
</td>
</tr>
</table>
</form></div>
<?php
// Display Error or Success Messages
echo ($DBError)?"<span class=\"error\">".$DBError."</span><br />":"";
echo ($SuccMsg);
?>
triehard
 
Posts: 10
Joined: 19. May 2009 02:59
Location: Auckland, New Zealand
Operating System: Windows 7 pro - 64bit - SP1

Re: "Notice: Undefined index:..." -Latest PHP is more strict

Postby Altrea » 14. March 2012 00:19

Hi triehard,

triehard wrote:but I can't find a why. Presumably the latest PHP is less forgiving ?

correct. The error_reporting is setted to the highest level on the current XAMPP Version. And thats a good thing i think.
On a development environment it is helpful to see everything, what is going wrong with the script.

Code: Select all
$id=isset($_POST['$id']) ? trim($_POST["$id"]) : "";

variable as array key, are you sure? id seems to be an integer, so i would use something like this:
Code: Select all
$id = isset($_POST['id']) ? (int)$_POST['id'] : false;


Code: Select all
if($_POST['update'])
   //** if (isset($_POST['update']) )

do you want to check either the update key exists or it has a posotive/true value?
In my opinion this would be better:
Code: Select all
if(!empty($_POST['update']))


Code: Select all
//extract($_POST);// array used to extract variables and their values from an array

Don't do! We are all very happy that register globals is part of the past now, so don't make it live again.

Code: Select all
$id=trim($_POST['id']);
$apply=trim($_POST['apply']);
$pass=trim($_POST['pass']);
$user=trim($_POST['user']);
$comment=trim($_POST['comment']);

For id i would use the code snipped i posted before.
For the other values, i have no idea which type of data they can have. But you should make use of validity checks and sanitize them as good as you can, especially if you use them without prepared statements in your database actions.

Code: Select all
$con = dbconn_passwords(); //calling db connection.
$uQuery="UPDATE passwords SET id='$id', apply='$apply', pass='$pass', user='$user', comment='$comment' WHERE id = $id";
$rs=$con->query($uQuery);
if(!$rs)// failed executing query.. something is wrong so.. show it
{
   $DBError="ERROR: failed executing query ".mysqli_error($con);
}
{
   $SuccMsg="<script>alert(\"Entry has been edited Successfully\");</script>"; 
}

There is an else missing :shock:
As i said, i would use a more up to date database adapter with more secure methods.
My favorites are PDO with prepared Statement or Doctrine 2
If you don't want to use a different database method, you should lern to use mysql_real_escape_string() on every string value in your database querys and (int) (float) or (double) on every numeric value (depending on the numeric type and precision)

Code: Select all
if($_GET['id']) // if entry id is available from the data base

if you have used the code from the beginning, you can now simply check:
Code: Select all
if($id)


Code: Select all
$id=$_GET['id'];

obsolet

Code: Select all
@$con = dbconn_passwords(); //calling db connection. 
if(mysqli_errno($con))
{
   $DBError="Error: Unable to connect to the database, Please contact the admin manager";
}   
else // now we are connected to the database
{
   $gQuery="SELECT * FROM passwords WHERE id = $id"; //
   // execute the query
   $rs=$con->query($gQuery);
   if(!$rs)// failed executing query.. something is wrong so.. show it
   {
      $DBError="ERROR: failed executing query ".mysqli_error($con);
   }
   else
   {
      // read the data from the bd
      $count=$rs->num_rows; // fetch object function that converts each row into a PHP object, & represents each col in that row as a property of that object
      if($count>0)
      {
         $data=$rs->fetch_assoc();
         $id=$data['id'];
         $apply=$data['apply'];
         $pass=$data['pass'];
         $user=$data['user'];
         $comment=$data['comment'];
      }
      else
      {
         echo "Record not found";
      }
   }   
}

Everything said about database methods is valid here too, especially validate id before you use it in a database query, or sanitize it with (int).

Code: Select all
<form method="post"  action="<? echo $PHP_SELF ?>">

Don't use short_open_tag because otherwise you will make your code dependend on a php setting.
$PHP_SELF isn't valid any more. Use $_SERVER['PHP_SELF'] and sanitize it with htmlspecialchars or htmlentities for security reasons:
Code: Select all
<form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">


Code: Select all
<table width="550" style=\"font-face:Arial,sans-serif;font-weight:normal;color:#0000cc;font-size:9pt;padding-right:50px;\">

Use CSS instead of inline styling for clearness reasons.

Code: Select all
<td class="label" align="right">Applicable to</td>

Why not use <label>?

Code: Select all
<input type="submit" name="update" value="Update">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a style='font-face:arial,verdana,sans-serif;font-weight:normal;color:#0000cc;font-size:11pt;padding-left:80px;text-decoration:none;' href="index.php">View Entries</a>

using &nbsp; for styliing reasons is really bad practice.

best wishes,
Altrea
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: "Notice: Undefined index:..." -Latest PHP is more strict

Postby triehard » 14. March 2012 22:43

Thanks Altrea, I will work through your helpful guidance. this coding is a few years old, and I am getting back to dabbling with code again. I appreciate your input. cheers !
triehard
 
Posts: 10
Joined: 19. May 2009 02:59
Location: Auckland, New Zealand
Operating System: Windows 7 pro - 64bit - SP1


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 136 guests